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Upholding information rights 
1C O. Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 


T. 0303 123 1113 F. 01625 524510 


Information Commissioner’s Office 


Request 


You asked us: 


We received your request on [date of receipt]. 


We have handled your request under the Freedom of Information Act 2000 (the 
FOIA). 


Our response 


Next steps 


You can ask us to review our response. Please let us know in writing if you want 
us to carry out a review. Please do so within 40 working days. 


You can read a copy of our full review procedure here. 
If we perform a review but you are still dissatisfied, you can complain to the ICO 


as regulator of the FOIA. This complaint will be handled just like a complaint 
made to the ICO about any other public authority. 


You can raise a complaint through our website. 


Information Commissioner's Office (Head Office) 
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 
T. 0303 123 1113 F. 01625 524510 


İCO. 


Information Commissioner’s Office 


Your information 


Our Privacy notice explains what we do with the personal data you provide to us, 
and set out your rights. Our retention schedule can be found here. 


Yours sincerely 


4 Information Access Team 
1cO Strategic Planning and Transformation 

© Information Commissioner's Office, Wycliffe House, Water 
Lane, Wilmslow, Cheshire SK9 5AF 
ico.org.uk twitter.com/iconews 
Please consider the environment before printing this email 
For information about what we do with personal 
data see our privacy notice 


information Commissioner's Office 


Section 12 FOIA template 


Our response 


We hold information that falls under the scope of your request. However, 
the information would exceed the cost limit 
set out by section 12 of the Freedom of Information Act 2000 (FOIA). 


OR 


Conducting the searches necessary to confirm if we hold the information 
you have asked for would exceed the cost limit set out by section 12 of 
the Freedom of Information Act 2000 (FOIA). 


[NOTE: If necessary, include this further information] 


The Freedom of Information and Data Protection (Appropriate Limit and 
Fees) Regulations 2004 states that the ‘appropriate limit’ for the ICO is 
£450. We have determined that £450 would equate to 18 hours work. 


[NOTE: If the request concerns extensive, manual searches in the 
case management system, the following paragraph may be 
helpful] 


[Description of information] is not information we normally need for our 


purposes. Our case management system is unable to run a quick 
automated report on this type of information. To locate the information 
you have requested would require a manual search of 

of cases. 


Assuming that each search would take approximately [estimated minutes 
minutes to complete - and it is certain that some searches 


would take much longer than that - this would equate to over 

hours’ worth of searching. This clearly exceeds the 18 hours 
which would accrue a charge of £450 or more, triggering the provisions of 
section 12 of the FOIA. 


Advice and assistance 


[NOTE: Enter details of how the requester can adjust their request 
to bring it under the s.12 limit, if it is possible to do so, such as a 
narrower date range, naming specific organisations they’re 
interested in, etc] 


[NOTE: Include the following optional paragraph if a refined 
request would still require manual searching] 


We would need to consider if it is in the public interest for us to dedicate 
the resources necessary to carry out this kind of search, or whether it 
represents an unreasonable burden on us as a public authority. 


Template for a section 14 grossly oppressive burden 


Our response 


I am refusing the Freedom of Information request you have made 
because the amount of work involved in complying with it would place a 
grossly oppressive burden on our resources, meaning that we are able to 
rely on section 14(1) of the FOIA. 


Section 14(1) FOIA states that: 


"14.—(1) Section 1(1) does not oblige a public authority to comply 
with a request for information if the request is vexatious.” 


The ICO’s guidance explains that: 


"A single request taken in isolation... may be vexatious solely on the 
grounds of burden. That is, where complying with the request would place 
a grossly oppressive burden on your resources which outweighs any value 
or serious purpose the request may have.” 


While we do not doubt that you have a genuine interest in the information 
you have requested, we have determined that the burden placed on our 
resources in complying with this request would outweigh the public 
interest in the requested information. 


Our guidance further provides that, in order to refuse to respond to a 
request under section 14(1) due to burden alone, we should be able to 
establish that the requested information is voluminous, that we have real 
concerns about exempt information being contained within it, and that the 
exempt material is scattered throughout and cannot be easily isolated. I 
have provided further explanation of our consideration of this below. 


[NOTE: Provide an explanation of the volume concerned, what 
potentially withheld information could be held within it (incl. what 
exemptions), and details about why it would be possible to isolate 
withheld from non-withheld information] 


Our guidance states that the threshold for applying section 14 FOIA on 
the basis of burden is a higher one than for section 12 FOIA, which allows 
a public authority to refuse to comply with a request if the necessary 
searches involved in doing so would take longer than 18 hours. We are 
relying on section 14 here because the burden is related to the time 
required for reviewing and redacting the relevant information, rather than 
searching for information that may be in scope. 


[NOTE: Estimate of time required to comply with the request 
based on volume and/or complexity] 


[NOTE: Also, include consideration of any public interest in the 
information and why this does not outweigh the burden of 
compliance] 


We therefore advise that we are refusing to comply with this request 
under section 14(1) of the FOIA. 


Section 21 FOIA template 


Section 21 FOIA 
You can access the information you have requested here: 


Because the information is already reasonably accessible to you, 
technically it is withheld under section 21 of the FOIA. 


[NOTE: Provide further information, if necessary] 
Section 21 states that we don’t need to provide you with a copy of 
information when you already have access to it. 


Section 22 FOIA template 


Section 22 FOIA 
We intend to publish the information you have requested. 
[NOTE: Provide some further details, if possible] 


This means that it is exempt from disclosure under section 22 of the 
FOIA. 


This is not an absolute exemption, which means we must consider the 
public interest in withholding the information. 


The factors in favour of disclosing the information are: 

[NOTE: There is always a general public interest in transparency] 
The factors in favour of withholding the exemption are: 

[NOTE: Section 22 arguments usually focus on the duplication of 
effort necessary for us to put together a disclosure where we are 
already working to get the information ready for wider 


publication, both being routes to providing the information to the 
public. There may be other factors in favour of withholding] 


Having considered these factors, we are satisfied that Dee 


Section 30 FOIA template 


FOIA Section 30 


Some of the information you have requested is exempt from disclosure 
under section 30 of the FOIA. Section 30(1) states: 


“Information held by a public authority is exempt information if it has at 
any time been held by the authority for the purposes of- 


(a) any investigation which the public authority has a duty to conduct 
with a view to it being ascertained- 


(i) whether a person should be charged with an offence, or 
(ii) whether a person charged with an offence is guilty of it, 


(b) any investigation which is conducted by the authority and in the 
circumstances may lead to a decision by the authority to institute criminal 
proceedings which the authority has power to conduct, or 


(c) any criminal proceedings which the authority has power to 
conduct.” 


The information you have requested falls into the category described in 


[relevant section]. Section 30 is not an absolute exemption. With this in 
mind, we have then considered the public interest test for and against 


disclosure. 

In this case the public interest factors in disclosing the information are: 
[NOTE: There is always a general public interest in transparency] 
The factors in withholding the information are: 


[NOTE: Section 30 arguments might focus on how disclosure 
under FOIA might alert individuals/organisations who are under 
investigation] 


Having considered these factors, we are satisfied that [it is appropriate to 


Section 30 FOIA ‘neither confirm nor deny’ template 


FOIA section 30 ‘neither confirm nor deny’ 


We neither confirm nor deny that we hold the information you have 
requested. Section 30(1) states that: 


“Information held by a public authority is exempt information if it has at 
any time been held by the authority for the purposes of- 


(a) any investigation which the public authority has a duty to conduct 
with a view to it being ascertained- 


(i) whether a person should be charged with an offence, or 
(ii) whether a person charged with an offence is guilty of it, 


(b) any investigation which is conducted by the authority and in the 
circumstances may lead to a decision by the authority to institute criminal 
proceedings which the authority has power to conduct, or 


(c) any criminal proceedings which the authority has power to 
conduct.” 


The information you have requested, if held, would fall into the category 


described in [relevant section]. 


Section 30(3) confirms that we are not required to confirm or deny that 
we hold information if it would be exempt from disclosure under any of 
the criteria set out above. However, we must carry out a public interest 
test to weigh whether the public interest favours confirmation or denial. 


In this case the public interest factors favour are: 
[NOTE: There is always a general public interest in transparency] 
The factors against are: 


[NOTE: Section 30 arguments might focus on how disclosure 
under FOIA might alert individuals/organisations who are under 
investigation. With NCND responses, there is also a consideration 
about preserving the integrity of other NCND responses] 


Having considered these factors, we are satisfied that we can rely on 
section 30 to neither confirm nor deny that we hold the information you 
have requested. 


Section 31 FOIA template 


FOIA section 31 


Some of the information you have requested is exempt from 
disclosure under section 31(1)(g) of the FOIA. We can rely on 
section 31(1)(g) of the FOIA where disclosure: 


“would, or would be likely to, prejudice... the exercise by any public 
authority of its functions for any of the purposes specified in 
subsection (2).” 


In this case the relevant purposes contained in subsection 31(2) are 
31(2)(a) and 31(2)(c) which state: 


“(a) the purpose of ascertaining whether any person has failed to 
comply with the law... 

(c) the purpose of ascertaining whether circumstances which would 
justify regulatory action in pursuance of any enactment exist or 
may arise ...” 


Section 31 is not an absolute exemption, and we must consider the 
prejudice or harm which may be caused by disclosure. We also have 
to carry out a public interest test to weigh up the factors in favour 
of disclosure and those against. 


[NOTE: The following are examples of prejudice arguments] 


Our investigation into [organisation name] is still ongoing. To 


release the information you have requested could prejudice the 
ICO’s ability to conduct the investigation in an appropriate manner. 
Disclosure at this stage would discourage our ongoing discussions 
between the ICO and and may damage our 
ability to conduct and conclude the investigation fairly and 
proportionately. 


Disclosure could also jeopardise the ICO’s ability to obtain 
information relating to this case or others in the future. 


Disclosure is likely to result in other parties being reluctant to 
engage with the ICO in the future. 


Any information released at this stage could be misinterpreted, 
which in turn could distract from the investigation process. 


[NOTE: The following is an example of a public interest 
argument] 


With this in mind, we have then considered the public interest test 
for and against disclosure. 


In this case the public interest factors in disclosing the information 
are: 


e increased transparency in the way in which [organisation 
has responded to the ICO’s enquiries; and 
e increased transparency in the way in which the ICO conducts 
its investigations. 


The factors in withholding the information are: 


e the public interest in maintaining organisations’ trust and 
confidence that their replies to the ICO’s enquiries will be 
afforded an appropriate level of confidentiality; 

e the public interest in organisations being open and honest in 
their correspondence with the ICO without fear that their 
comments will be made public prematurely or, as appropriate, 
at all; and 

e the public interest in maintaining the ICO’s ability to conduct 
the investigation into complaints as it thinks fit, 


Having considered these factors, we are satisfied that [it is 


Section 36 FOIA template 


FOIA section 36 


Some of the information you have requested is exempt from disclosure 
under section 36 of the FOIA. Section 36(2)(c) provides that - 


“Information to which this section applies is exempt information if, in the 
reasonable opinion of a qualified person, disclosure of the information 
under this Act- 


(c) would otherwise prejudice, or would be likely otherwise to prejudice, 
the effective conduct of public affairs.” 


Section 36 is not an absolute exemption, and we must consider the 
prejudice or harm which may be caused by disclosure. We also have to 
carry out a public interest test to weigh up the factors in favour of 
disclosure and those against. 


Having sought the opinion of the qualified person, I can confirm the 
prejudice to disclosure of this information is 

With this in mind, we have then considered the public interest test for and 
against disclosure. 

In this case the public interest factors in disclosing the information are: 
[NOTE: There is always a general public interest in transparency] 
The factors in withholding the information are: 

[NOTE: Section 36 arguments are very request-dependent, but 
historically we have weighed the value of mutual cooperation with 


stakeholders during important, far-reaching work which would be 
affected by disclosure while the matter was live and ongoing] 


Having considered these factors, we are satisfied that e 


Section 40(2) FOIA template 


FOIA section 40(2) 


You will see that some third party personal data has been redacted 
in our response. It is exempt under section 40(2) of the FOIA. 


[NOTE: Provide more information, if necessary] 


Disclosure of this data would break the first principle of data 
protection - that personal data is processed lawfully, fairly and ina 
transparent manner. 


There is no strong legitimate interest that would override the 
prejudice that disclosure would cause to the rights and freedoms of 
the individuals concerned. So we are withholding the information 
under section 40(2) of the FOIA. 


Section 40(2) NCND FOIA template 


FOIA section 40(2) 


We neither confirm nor deny that we hold the information you have 
requested. Section 40(2) FOIA states: 


“Any information to which a request for information relates is also exempt 
information if— 


(a) it constitutes personal data which does not fall within subsection 
(1), and 


(b) the first, second or third condition below is satisfied.” 
Section 40(3A), which sets out one of the three conditions, states: 


"(3A) The first condition is that the disclosure of the information to a 
member of the public otherwise than under this Act— 


(a) would contravene any of the data protection principles” 
Finally, section 40(5B)(a) states: 


“The duty to confirm or deny does not arise in relation to other 
information if or to the extent that any of the following applies— 


(a) giving a member of the public the confirmation or denial that would 
have to be given to comply with section 1(1)(a)— 


(i) would (apart from this Act) contravene any of the data protection 
principles” 


You have requested information held about [request details]. This 
information, if held, would constitute the personal data of those 
individuals as it relates to an identified natural person. Section 40(2) of 
FOIA exempts disclosure of the personal data of others, subject to 
conditions. 


Section 40(3A)(a) details one of these conditions. In my view, this 
condition would be met in this case because disclosure of the information 
you have requested, if held at all, would break the first principle of data 
protection - that personal data is processed lawfully, fairly and ina 
transparent manner. Therefore, the information you have requested, if 
held, would be exempt from disclosure. 


I also consider confirmation or denial would itself contravene the data 
protection principles because it would reveal personal data. Therefore, our 
response to your request is we can neither confirm nor deny that we hold 
the information you have requested. 


Section 42 FOIA template 


FOIA section 42 


Some of the information you have requested is subject to legal 
professional privilege and is exempt from disclosure under section 42 of 
the FOIA. Section 42(1) of the FOIA states: 


“Information in respect of which a claim to legal professional privilege or, 
in Scotland, to confidentiality of communications could be maintained in 
legal proceedings is exempt information. ” 


There are two types of privilege covered by the exemption at section 42. 
These are: 


e Litigation privilege; and 
e Advice privilege. 


Litigation privilege covers confidential communications between the client 
and lawyer made for the purpose of preparing for existing or anticipated 
legislation. Advice privilege covers such communications when they’re 
made for the purpose of seeking or giving legal advice. We find that the 
information in scope of your request is subject to 


Section 42 is not an absolute exemption, so we must consider whether 
the public interest favours withholding or disclosing the information. 


In this case the public interest factors in disclosing the information are: 
[NOTE: There is always a general public interest in transparency] 
The factors in withholding the information are: 


[NOTE: Typically, public interest factors against disclosure of 
material subject to legal privilege concern the fact that legal 
professional privilege is a really important principle of the legal 
system. There is also public interest in maintaining the ability for 
legal advisors and clients to be able to have full and frank 
discussions without the feat that such information will be 
potentially made public] 


Having considered these factors, we are satisfied that [it is appropriate to 


Section 43 FOIA template 


FOIA section 43 


Some of the information you have requested is exempt from disclosure 
under section 43 of the FOIA. Section 43(1) states: 


“Information is exemption information if its disclosure under this Act 
would, or would be likely to, prejudice the commercial interests of any 
person (including the public authority holding it).” 


A ‘person’ may be an individual, a company, the public authority itself or 
any other legal entity. Our guidance on what constitutes a commercial 
interest states: 


"A commercial interest relates to a person’s ability to participate 
competitively in a commercial activity.” 


Section 43 is not an absolute exemption, and we must consider the 
prejudice or harm which may be caused by disclosure. We also have to 
carry out a public interest test to weigh up the factors in favour of 
disclosure and those against. 


We find that disclosure of this information would prejudice the commercial 
interests of [affected person] because 


With this in mind, we have then considered the public interest test for and 
against disclosure. 


In this case the public interest factors in disclosing the information are: 
[NOTE: There is always a general public interest in transparency] 
The factors in withholding the information are: 


[NOTE: Section 43 public interest arguments are often highly 
specific. However, for the ICO, arguments against disclosure may 
include the ICO being able to negotiate and secure services on 
beneficial terms that ensure the best value for money, without 
prejudicing organisations who are contracting with. It may also 
harm an organisation’s ability to effectively negotiate with other 
clients besides the ICO] 


Having considered these factors, we are satisfied that O 


Section 44 FOIA working with section 132 DPA template 


FOIA Section 44 and DPA section 132 
[NOTE: Short version] 


Some information has been withheld under section 44 of the FOIA. 
Section 44(1)(a) states: 


"(1) Information is exempt information if its disclosure (otherwise than 
under this Act) by the public authority holding it - 


(a) is prohibited by or under any enactment” 


The enactment in question is the Data Protection Act 2018. Section 
132(1) of part 5 of that Act states that: 


"A person who is or has been the Commissioner, or a member of the 
Commissioner's staff or an agent of the Commissioner, must not disclose 
information which— 


(a) has been obtained by, or provided to, the Commissioner in the course 
of, or for the purposes of, the discharging of the Commissioner’s 
functions, 


(b) relates to an identified or identifiable individual or business, and 

(c) is not available to the public from other sources at the time of the 
disclosure and has not previously been available to the public from other 
sources, 

unless the disclosure is made with lawful authority.” 

Section 132(2) lists circumstances in which a disclosure can be made with 
lawful authority, however none of them apply here. As a result the 
information is exempt from disclosure. 


[NOTE: Longer version] 


We can confirm that: 


° The information was [obtained by/provided to] the Commissioner 


in order to carry out their functions. 
° The information relates to an identifiable business, specifically - 


° The information is not, and was not previously, publicly available 
from other sources. 


As a result we cannot disclose the information unless we have lawful 
authority. 


Section 132(2) of the DPA provides conditions in which disclosure could 
be made with lawful authority. We have therefore considered each 
condition in turn: 


“(a) the disclosure was made with the consent of the individual or of the 
person for the time being carrying on the business,” 


I can confirm that we do not have consent to disclose this information. 


"“(b) the information was obtained or provided as described in subsection 
(1)(a)for the purpose of its being made available to the public (in 
whatever manner),” 


The information was not obtained by or provided to the Commissioner as 
part of their regulatory role in order to make it available to the public and 
for this reason we are treating it as confidential. 


“(c) the disclosure was made for the purposes of, and is necessary for, 
the discharge of one or more of the Commissioner’s functions,” 


We find that disclosure is not necessary in order to fulfil any of their 
functions. 


“(e) the disclosure was made for the purposes of criminal or civil 
proceedings, however arising,” 


Disclosure would not be for the purposes of criminal or civil proceedings. 


“(f) having regard to the rights, freedoms and legitimate interests of any 
person, the disclosure was necessary in the public interest.” 


We do not consider it necessary or justifiable to disclose this information 
as there is no compelling public interest to do so. The Commissioner and 
his staff risk criminal liability if they disclose information without lawful 
authority. The right of access under the FOIA is not sufficient to override 
these important factors and the information is therefore withheld. 


® 
Upholding information rights 
1C O. Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 


T. 0303 123 1113 F. 01625 524510 


Information Commissioner’s Office 


Dear [Name] 
Case Reference [case reference] 


Response to request for information 

Further to our acknowledgement of J we can now 
respond to your information request of ; 

Request 


You asked us for: 


We received your request on [date of receipt]. 


We have handled this as a subject access request (SAR). 
[NOTE: If necessary, include this further information] 


The right of access is provided by Article 15 of the UK General Data Protection 
Regulation (UK GDPR). Where any of the information we have provided to you 
falls outside the definition of your personal data, we are providing it to you on a 
discretionary basis. 


Information Commissioner's Office (Head Office) 
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 SAF 
T. 0303 123 1113 F. 01625 524510 


1CO. 


Information Commissioner's Office 


Our response 


We have searched our records based on the information you provided. 


OPTION 1: NOTHING HELD 
We are unable to locate the personal data you have requested. 


[NOTE: provide further clarification — why not? Did we ever hold it?] 


OPTION 2: FULL DISCLOSURE 


Please find attached a copy of the information you requested. 


OPTION 3: THIRD PARTY PERSONAL DATA 


Please find attached a copy of the personal data you requested. We have 
some information because it relates to a third party. 


[NOTE: If necessary, include this further information] 


The Data Protection Act 2018 makes it clear that we are not required to provide 
copies of your personal data when doing so would also disclose data about 
someone else. Therefore we have some information in 
accordance with paragraph 16 of Schedule 2 of the DPA. 


Paragraph 16(1) of Schedule 2 of the Data Protection Act 2018 (DPA) states that 
the individual rights provided by GDPR, such as subject access: 


“do not oblige a controller to disclose information to the data subject to the 
extent that doing so would involve disclosing information relating to another 
individual who can be identified from the information.” 


1CO. 


Information Commissioner's Office 


Paragraphs 16(2) explains that personal data of a third party can be disclosed if 
the other individual has consented to the disclosure of the information to the 
data subject, or when it is reasonable to disclose the information to the data 
subject without consent. 


Paragraphs 16(3) provides examples of relevant circumstances for considering 
whether disclosure would be reasonable without consent. In this instance it would 
not be reasonable to disclose the third party information without consent. 


[NOTE: For the following options — we usually end up using Option 4 and 
Option 5 together, when another organisation has told us they don’t 
want us to disclose info they provided to us. Disclosure would prejudice 
our function AND go against the prohibitions on disclosure] 


OPTION 4: Regulatory function of the Commissioner 


Some information has been [withheld/redacted] because providing it would be 
likely to prejudice our function as regulator. 


The disclosure of this information would prejudice our function because [explain 


[NOTE: If you have withheld entire documents, and if it is possible to do 
so without causing prejudice, it’s useful to give a brief description of the 
type of information withheld, ie “we have withheld some emails between 
the ICO and the Controller regarding their handling of your personal 
data”’] 


[NOTE: If necessary, include this further information] 


Paragraph 11 of Schedule 2 of the Data Protection Act 2018 (the DPA) lists the 
Commissioner as a body that carries out regulatory functions and can refuse an 
individual access in the event that disclosure would be likely to prejudice those 
functions. 


OPTION 5: Prohibitions on disclosure 
Some information has been [withheld/redacted] because it was provided to us by 


another individual or business for the purposes of us carrying out our regulatory 
functions, and we do not have lawful authority to disclose it. 


1CO. 


Information Commissioner's Office 


[NOTE: If necessary, include this further information] 


Section 132 of the Data Protection Act imposes criminal liability on ICO staff if we 
disclose information related to an identifiable individual or business which was 
provided to the ICO for the purposes of carrying out our regulatory functions, 
unless we have the lawful authority to do so, or it has already been made public 
from another source. 


Next steps 


Please let us know if you have questions about the way we’ve handled your 
request. 


If we can’t answer in a way that satisfies you, or we took too long to respond to 


your request, you can make a complaint to the ICO as regulator for data 
protection. This complaint will be handled just like a complaint made to the ICO 


about any other controller. You can make a complaint through our website. 


You also have the right to apply to a court if you believe that there has been a 
contravention of your rights. 


Your information 


Our Privacy notice explains what we do with the personal data you provide to us, 
and set out your rights. Our retention schedule can be found here. 


Yours sincerely 


o Information Access Team 
1CO Strategic Planning and Transformation 

© Information Commissioner’s Office, Wycliffe House, Water 
n Lane, Wilmslow, Cheshire SK9 5AF 


ico.org.uk twitter.com/iconews 

Please consider the environment before printing this email 
For information about what we do with personal 
data see our privacy notice 


Information Commissioner's Office 


® 
Upholding information rights 
1C O. Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 


T. 0303 123 1113 F. 01625 524510 


Information Commissioner’s Office 


Dear [Name] 
Case Reference [case reference] 


Response to request for rectification of personal data 


In your email of [request date] you told us that some personal data we hold 
about you is inaccurate. You said: 


We have handled this as a request that we rectify the personal data you’ve 
identified. 


[NOTE: If necessary, include this further information] 


Article 16 of the UK General Data Protection Regulation (UK GDPR) gives you the 
right to have your personal data rectified if it is inaccurate. 


Our response 


We have taken into account your arguments about the accuracy of your personal 
data. 


OPTION 1: DATA IS ACCURATE 


The UK GDPR does not define accuracy. However, the Data Protection Act 2018 
states that personal data is inaccurate if it is incorrect or misleading. 


Information Commissioner's Office (Head Office) 
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 SAF 
T. 0303 123 1113 F. 01625 524510 


1CO. 


Information Commissioner's Office 


We do not agree that the personal data you have contacted us about is factually 
inaccurate. 


[NOTE: If necessary, include this further information] 


The personal data that we hold about you is an accurate version of the 
information that was originally . It is important 
that we hold a correct and accurate version of that record. 


We have added a note to your case file explaining that you disagree with the 
accuracy of the personal data, for the reasons explained in your email. 


OPTION 2: WILL RECTIFY 


We agree that the information we hold is inaccurate. We have taken the following 
steps to rectify it: 


OPTION 3: WILL NOT RECTIFY DUE TO PREJUDICE TO REGULATORY 
FUNCTIONS 


We agree that the information we hold is inaccurate. However, we do not intend 
to alter the record which we hold. We will place a note in the relevant case file 
that details your concerns about the accuracy of the data. However, our position 
is that altering the records we hold by rectifying your personal data would 
prejudice our regulatory function. 


[NOTE: Provide prejudice arguments here] 
Next steps 


Please let us know if you have questions about the way we’ve handled your 
request. 


If we can’t answer in a way that satisfies you, or we took too long to respond to 
your request, you can make a complaint to the ICO as regulator for data 

protection. This complaint will be handled just like a complaint made to the ICO 
about any other data controller. You can make a complaint through our website. 


You also have the right to apply to a court if you believe that there has been a 
contravention of your rights. 


Your information 


1CO. 


Information Commissioner's Office 


Our Privacy notice explains what we do with the personal data you provide to us, 
and set out your rights. Our retention schedule can be found here. 


Yours sincerely 


o Information Access Team 
1CO Strategic Planning and Transformation 

: o Information Commissioner's Office, Wycliffe House, Water 
Pe Lane, Wilmslow, Cheshire SK9 5AF 


ico.org.uk twitter.com/iconews 

Please consider the environment before printing this email 
For information about what we do with personal 
data see our privacy notice 
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T. 0303 123 1113 F. 01625 524510 


Information Commissioner’s Office 


Dear [Name] 


Case Reference [case reference] 


Response to request for erasure of personal data 


In your email of [request date] you said: 


We have handled this as a request that we erase your personal data. 


[NOTE: If necessary, include this further information] 


Article 17 of the UK General Data Protection Regulation (UK GDPR) gives you the 
right to have personal data erased in certain circumstances: 


Where the personal data is no longer necessary in relation to the purpose 
for which it was originally collected or processed; 

When the data subject withdraws consent; 

When the data subject objects to the processing and there is no overriding 
legitimate interest for continuing the processing; 

The personal data was unlawfully processed (ie otherwise in breach of the 
UK GDPR); 

The personal data has to be erased in order to comply with a legal 
obligation; 

The personal data is processed in relation to the offer of information society 
services to a child. 


In this case, your grounds for requesting erasure are [state request reasons]. 
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Our Response 
OPTION 1: NOTHING HELD 


We searched our systems using the information you provided. We didn’t find any 
records relating to you. 


If you are certain we hold your data, we can look again. Please tell us what 
contact you had with us in the past that you think has led to us holding your 
data. 


OPTION 2: WE AGREE TO ERASURE 


We have deleted/will delete the personal data we hold on you by [date of 


. When your personal data has been deleted it will not be accessible, 
and so will be considered to be beyond use. 


[NOTE: If we have passed information to other organisations we need to 
inform them that it has been erased from our systems. You need to 
include one of the options below] 


We have disclosed some of your personal data to [organisation/s]. We have 
informed them that we have erased your personal data. 


[or] 


Although we have disclosed some of your personal data to [organisation/s], it 
has not been possible to inform them that we have agreed to erase your data, for 
the following reasons 


[or] 


Although we have disclosed some of your personal data to [organisation/s], we 
haven't informed them that we have agreed to erase your data. Contacting them 
would put an unreasonable burden on our limited resources 


OPTION 3: REFUSAL DUE TO OVERRIDING LEGITIMATE INTEREST 


Having carefully considered your request, we have decided that our need to carry 
out our public task overrides your right to request erasure. 
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This is because [provide overriding legitimate interests]. 


Over time our need to hold your personal data will decrease. We will delete it in 
line with our retention schedule, which you can view here: Retention and disposal 
schedule. 


OPTION 4: REFUSING DUE TO PREJUDICE TO REGULATORY FUNCTION 


We are able to refuse an erasure request if we consider that complying with it 
would be likely to prejudice our regulatory function. 


Erasing your personal data would [describe prejudice of erasure]. 


Over time our need to hold your personal data will decrease. We will delete it in 
line with our retention schedule, which you can view here: Retention and disposal 
schedule. 


Next steps 


Please let us know if you have questions about the way we’ve handled your 
request. 


If we can’t answer in a way that satisfies you, or we took too long to respond to 
your request, you can make a complaint to the ICO as regulator for data 
protection. This complaint will be handled just like a complaint made to the ICO 
about any other data controller. You can make a complaint through our website. 
You also have the right to apply to a court if you believe that there has been a 
contravention of your rights. 


Your information 


Our Privacy notice explains what we do with the personal data you provide to us, 
and set out your rights. 


Yours sincerely 


1CO. 


Information Commissioner's Office 


İCO. 


information Commissioner's Office 


Information Access Team 

Strategic Planning and Transformation 

Information Commissioner's Office, Wycliffe House, Water 
Lane, Wilmslow, Cheshire SK9 5AF 

ico.org.uk twitter.com/iconews 

Please consider the environment before printing this email 
For information about what we do with personal 
data see our privacy notice 
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Information Commissioner’s Office 


Dear [Name] 
Case Reference [case reference] 


Response to request for restriction of processing of personal data 
In your email of [request date] you said: 


We've handled this as a request that we restrict our processing of your personal 
data. 


[NOTE: If necessary, include this further information] 


Article 18 of the UK General Data Protection Regulation (UK GDPR) provides you 
with the right to instruct a data controller to stop using your data. This is called 
restriction of processing. It means that a data controller can hold your data, but 
can't use it. 


This right only applies in the following circumstances: 


e Where an individual contests the accuracy of the personal data held, the 
controller will restrict that processing until its accuracy has been verified. 

e When processing is unlawful and an individual opposes erasure and 
requests restriction instead. 

e If the controller no longer needs your personal data but you need it to 
establish, exercise or defend a legal claim. 

e You have objected to the controller processing your data, and the controller 
is considering whether their legitimate grounds override your rights. 
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In this case you have asked us to restrict the processing of your personal data 
because 


Our Response 
OPTION 1: RESTRICTION APPROVED 


We have restricted your personal data. We need to retain some of your personal 
data to make sure that we can maintain the restriction of your personal data in 
future. 


If we need to lift the restriction on your personal data, we will let you know. 


[NOTE: If we have passed information to other organisations, we will 
need to inform them that it has been restricted. Include one of the 
following] 


We have disclosed some of your personal data to [organisation/s]. We have 
informed them that we have restricted your personal data. 


[or] 


Although we have disclosed some of your personal data to [organisation/s], it 
has not been possible to inform them that we have agreed to restrict your data, 
for the following reasons 


[or] 

Although we have disclosed some of your personal data to [organisation/s], we 
haven't informed them that we have agreed to restrict your data. Contacting 
them would put an unreasonable burden on our limited resources 


OPTION 2: RESTRICTION REQUEST DENIED 


We restricted use of your data while we considered its accuracy [and/or] our 
grounds for processing it. 


However, I consider that it is accurate we do have legitimate grounds 
for processing your data . This means that we will continue to 


process it. 
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OPTION 3: NO RESTRICTION AS EXEMPTION APPLIES 


I am refusing your request. If we restrict our processing of your data, it will 
prejudice the performance of our regulatory functions. 


This is because [provide prejudice reasoning]. 

[NOTE: If necessary, include this further information] 

Paragraph 11 of Schedule 2 of the Data Protection Act 2018 lists the 
Commissioner as a body that carries out regulatory functions. We can refuse a 
request to restrict the processing of personal data if the restriction would be 
likely to prejudice those functions. 


Next steps 


Please let us know if you have questions about the way we’ve handled your 
request. 


If we can’t answer in a way that satisfies you, or we took too long to respond to 
your request, you can make a complaint to the ICO as regulator for data 

protection. This complaint will be handled just like a complaint made to the ICO 
about any other data controller. You can make a complaint through our website. 


You also have the right to apply to a court if you believe that there has been a 
contravention of your rights. 


Your information 


Our Privacy notice explains what we do with the personal data you provide to us, 
and set out your rights. Our retention schedule can be found here. 


Yours sincerely 


1CO. 


Information Commissioner's Office 


İCO. 


information Commissioner's Office 


Information Access Team 

Strategic Planning and Transformation 

Information Commissioner's Office, Wycliffe House, Water 
Lane, Wilmslow, Cheshire SK9 5AF 

ico.org.uk twitter.com/iconews 

Please consider the environment before printing this email 
For information about what we do with personal 
data see our privacy notice 


Internal email to email to Group Manager about 
restriction 


We have been contacted by [data subject] who has requested that 
we restrict the processing of their data. 


We need to restrict processing while we consider its accuracy/our 
legitimate grounds for continuing to process it. 


Please arrange for the restriction to be clearly noted in the titles of 
the following cases: 


We will let you know if we decide to lift this restriction. 
Please let us know if you have any questions. 


Thanks 
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Information Commissioner’s Office 


Dear [Name] 
Case Reference [case reference] 


Response to objection of processing request 


In your email of [request date] you said: 


We've handled this as an objection to our processing of your data. 

[NOTE: If necessary, include this further information] 

Article 21 of the General Data Protection Regulation (GDPR) gives you the right 
to object to processing of personal data. It only applies when our basis for 
processing your data is that it is in our legitimate interests, necessary for the 
performance of a task in the public interest or for the exercise of official 
authority. 


We can continue processing your personal data if there are compelling grounds 
for doing so, or during the process of a legal claim. 


Our response 
OPTION 1: WE AGREE TO STOP PROCESSING 


We will stop processing your personal data from [date]. 
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OPTION 2: REFUSAL DUE TO PROCESSING BEING NECESSARY FOR 
PUBLIC TASK 


We need to continue processing your personal data. Our need to perform our 
public task as a regulator overrides your right to object. 


OPTION 3: REFUSAL DUE TO PREJUDICE TO REGULATORY FUNCTION 


In this case, we need to continue processing your personal data. If we stopped, it 
would prejudice our ability to perform our regulatory function. 


This is because [provide prejudice reasoning]. 


[NOTE: If necessary, include this further information] 


Paragraph 11 of Schedule 2 of the Data Protection Act 2018 lists the 
Commissioner as a body that carries out regulatory functions. We can refuse 
your objection to our processing of your data if we considers that this would be 
likely to prejudice those functions. 


Next steps 


Please let us know if you have questions about the way we’ve handled your 
request. 


If we can’t answer in a way that satisfies you, or we took too long to respond to 
your request, you can make a complaint to the ICO as regulator for data 

protection. This complaint will be handled just like a complaint made to the ICO 
about any other data controller. You can make a complaint through our website. 


You also have the right to apply to a court if you believe that there has been a 
contravention of your rights. 


Your information 


Our Privacy notice explains what we do with the personal data you provide to us, 
and set out your rights. Our retention schedule can be found here. 


Yours sincerely 


1CO. 


Information Commissioner's Office 


İCO. 


information Commissioner's Office 


Information Access Team 

Strategic Planning and Transformation 

Information Commissioner's Office, Wycliffe House, Water 
Lane, Wilmslow, Cheshire SK9 5AF 

ico.org.uk twitter.com/iconews 

Please consider the environment before printing this email 
For information about what we do with personal 
data see our privacy notice 


Internal consultation template 


Hello, 


We have received an [FOI request/SAR], and we think your 


team/department hold some or all of the information requested. 


We have been asked for: [Request wording] 


We would be grateful if you could respond to the questions below. 


As far as you are aware, do we 
hold this information? 

If so, please provide us with 
copies, or share a link to where 
it’s stored. 

Do you think that we need to 
withhold any of the 
information? 


If so, why? 

Please explain what harm 
would be caused to the ICO or 
any other 
individual/organisation by 
disclosure of this information. 


It’s not necessary for you to 
cite specific exemptions. 

Are you aware of any other 
individuals/teams that might 
hold information relevant to 
this request? 


Because this request has a statutory time limit, please respond by: [Date] 


If you have any questions, please let us know. 


Template for external consultation following an FOI 
request 


Information request to the ICO 


The Information Commissioner's Office (ICO) has received a request 
for information under the Freedom of Information Act 2000 (FOIA). 
This is being handled by the ICO's Information Access Team. 


We have been asked to disclose [briefly describe request]. 


As you are probably aware the FOIA provides individuals with the 

right of access to information held by a public authority. Although 

we are exempt from disclosing certain types of information, it is in 
the public interest that we are open, transparent and accountable 
for the work that we do. 


However, it is important to note that a release under FOIA is 
applicant blind and therefore effectively a release to the wider 
world. 


I have attached a copy of the information in scope of the request for 
your convenience. They include 


We would therefore be grateful for your assistance in dealing with 
this request. Having considered the information attached please 
confirm: 


1. If you have any objections to any of the information being 
disclosed to the requester. If you have objections, please 
indicate clearly the information you would wish to be 
withheld, and why, so that your views can be taken into 
account. 


2. If you have any concerns about your own information and 
that of your colleagues, such as names and contact details, 
being disclosed. 


If you have no concerns, please make this clear in your response. 


Due to the statutory deadlines for complying with this information 
request please reply by the end of the day on 

required]. If there are any difficulties meeting this deadline do let 
us know. 


I hope the purpose of this email is clear but do contact me directly 
if you wish to discuss any aspect of this request. 


In the meantime, it would be helpful if you could acknowledge 
receipt of this email. 


I look forward to hearing from you shortly. 


Yours sincerely 


You should be aware that the Information Commissioner’s Office often receives 
requests for copies of the letters we send and receive when dealing with 
complaints and information requests. Please indicate whether any of the 
information you provide in connection with this matter is confidential, or for any 
other reason should not be disclosed to anyone who requests it. You should 
provide a good reason why this information should not be disclosed to anyone 
else and explain this clearly and fully. 


Template for external consultation following a SAR 


Information request to the ICO 


The Information Commissioner's Office (ICO) has received a request 
for information from which is being dealt with 
by the ICO's Information Access Team. 


Bra has asked that we provide them with [briefly 


We are therefore handling their request under the right of subject 
access in data protection legislation. We can also consider providing 
the requester with information which is not their personal data on a 
discretionary basis, given their association with this matter. 


As you are probably aware, data protection legislation provides 
individuals with the right of access to information held about them. 
Although we are exempt from disclosing certain types of 
information, it is in the public interest that we are open, transparent 
and accountable for the work that we do. 


I have attached a copy of the information in scope of the request for 
your convenience. It includes 


We would therefore be grateful for your assistance in dealing with 
this request. Having considered the information attached please 
confirm: 


1. If you have any objections to any of the information being 
disclosed to the requester. If you have objections, please 
indicate clearly the information you would wish to be 
withheld, and why, so that your views can be taken into 
account. 


2. If you have any concerns about your own information and 
that of your colleagues, such as names and contact details, 
being disclosed. 


If you have no concerns, please make this clear in your response. 


Due to the statutory deadlines for complying with this information 
request please reply by the end of the day on 

required]. If there are any difficulties meeting this deadline do let 
us know. 


I hope the purpose of this email is clear, but do contact me directly 
if you wish to discuss any aspect of this request. 


In the meantime, it would be helpful if you could acknowledge 
receipt of this email. 


I look forward to hearing from you shortly. 


Yours sincerely 


You should be aware that the Information Commissioner’s Office often receives 
requests for copies of the letters we send and receive when dealing with 
complaints and information requests. Please indicate whether any of the 
information you provide in connection with this matter is confidential, or for any 
other reason should not be disclosed to anyone who requests it. You should 
provide a good reason why this information should not be disclosed to anyone 
else and explain this clearly and fully. 


Template for clarifying requests 


Dear [name] 


Thank you for your recent request for information. We received your 
request on 


I have started to consider your request. Before I can progress your 
request, I would like to ask you for some clarification about the 
information you are trying to access. Without this clarification we are not 
able to respond to your request. 


You have asked for: [request that needs clarification] 


[NOTE: You should provide some rationale as to why you do not 
consider the request is clear. Remember to provide advice and 
assistance to help the requester. This might include suggesting 
information we do hold in the area the requester is looking to 
explore or information that might already be published and where 
this is available. ] 


If you would like us to progress your request please respond providing the 
above clarification as soon as possible. Once we understand what 
information you are trying to access we will respond to you within 


If we do not receive your clarification within 28 calendar days then we will 
consider your request to be withdrawn and you will not receive a 
response. If you would like to withdraw your request there is no need to 
respond to this. 


If you would like to discuss your request please contact me using the case 
reference number above. 


Thank you for your interest in the work of the Information 
Commissioner's Office. 


PIT Extension template 


Thank you for your request for information of [date]. 


I can confirm that the ICO does hold information within scope of your 
request. 


The information consists of which is exempt 
pursuant to section of the Freedom of Information Act 
2000 (FOIA). 


The exemption at section [section number] refers to circumstances where 
the disclosure of information: 


[NOTE: Insert prejudice test of relevant section, eg section 31 
would be: “would, or would be likely to, prejudice... the exercise 
by any public authority of its functions for any of the purposes 
specified in subsection (2).”] 


[NOTE: Additionally, if there are any other sections that are 
relevant, such as sections 31(2)(a) and 31(2)(c) when using 
section 31, include these too] 


This applies to the information we hold about [describe information with 


. The prejudice of disclosure of this information is 


The exemption at section [section number] is not absolute and we must 
now perform a public interest test to determine whether the exemption 
falls away or is maintained. 


Section 10(3) of the FOIA enables an authority to extend the 20 working 
day limit up to a ‘reasonable’ time in any case where it requires more 
time to determine whether or not the balance of the public interest lies in 
maintaining an exemption. 


The FOIA does not define what might constitute a ‘reasonable’ extension 
of time. However, the ICO’s view is that an authority should normally take 
no more than an additional 20 working days to consider the public 
interest, meaning that the total time spent dealing with the request 
should not exceed 40 working days. 


We will therefore respond to you by [date] unless we are in a position to 
respond earlier. Should we not be in a position to respond by that date we 
will provide a further update. 


Internal review template 


Review of response to information request 


I write further to your email of [date of IR request] in which you 
requested a review of the handling of your request dealt with under 
the reference number f 


Section 45 of the Freedom of Information Act 2000 (FOIA) requires 
the publication of a code of practice, designed to assist public 
authorities handle requests under the FOIA. 


This guide recommends that public authorities put in place an 
internal review process for FOIA responses, which our guide 

suggests should be triggered whenever a requester expresses 
dissatisfaction with the outcome of a request they have made. 


The purpose of an internal review is to look again at your request, 
at our response, and to check that any exemptions applied were 
appropriate. 


As a result we have conducted an internal review of our response to 
your information request. I am a [job title] in the Information 
Access Team and I can confirm that I have had no prior 
involvement in the handling of this request. 


Request and response 


On [date of request] we received a request from you which sought 
the following information: 


m OO or by advising you that [provide a 


Review 


Complaint procedure 


If you consider that your request for personal data has not been 
dealt with correctly under data protection legislation, you have a 
right of appeal to this office in our capacity as the statutory 
complaint handler under the GDPR and Data Protection Act 2018. 


To make such an application, please write to our public advice and 
data protection complaints department at the address below, or 
visit the ‘Make a complaint’ section of our website. 


If you are dissatisfied with the outcome of this review you can make 
a formal complaint with the ICO in its capacity as the regulator of 
the Freedom of Information Act 2000. Please follow the link below 


to submit your complaint: https://ico.org.uk/make-a-complaint/. 


Yours sincerely 


Acknowledge new information request 


Thank you for your recent request for information. We received 
your request on [received date]. Your request will be allocated to an 
Information Access Officer who will contact you under the reference 
number above in due course. 


In summary, your request is: [Request wording] 


Under statutory timeframes our response to your request is due by 
. If you have any queries about this information request 
you may email us, quoting our reference number in the subject line. 


Please note that Information Access Officers are only able to 
address information requests to ICO; they are unable to assist with 
complaints to ICO, or to provide general advice about the legislation 
we oversee, as this work is done by other ICO departments. 


Our privacy notice explains what we do with the personal data you 
provide to us when you make an information request: 


Thank you for your interest in the work of the Information 
Commissioner's Office. 


Yours sincerely 


